[Glibc-bsd-commits] r1653 - in trunk/kfreebsd-6/debian: . patches
Petr Salinger
ps-guest at costa.debian.org
Thu Aug 31 17:56:44 UTC 2006
Author: ps-guest
Date: 2006-08-31 17:56:44 +0000 (Thu, 31 Aug 2006)
New Revision: 1653
Added:
trunk/kfreebsd-6/debian/patches/000_ppp.diff
Modified:
trunk/kfreebsd-6/debian/changelog
Log:
* fix buffer overflow in sppp (FreeBSD-SA-06:08.ppp / CVE-2006-4304).
Modified: trunk/kfreebsd-6/debian/changelog
===================================================================
--- trunk/kfreebsd-6/debian/changelog 2006-08-25 19:20:36 UTC (rev 1652)
+++ trunk/kfreebsd-6/debian/changelog 2006-08-31 17:56:44 UTC (rev 1653)
@@ -1,10 +1,14 @@
kfreebsd-6 (6.1-0.2) UNRELEASED; urgency=low
+ [ Aurelien Jarno ]
* patches/999_config.diff: remove COMPAT_LINUX from amd64.
+ [ Petr Salinger ]
+ * Fix buffer overflow in sppp (FreeBSD-SA-06:08.ppp / CVE-2006-4304).
+
-- Aurelien Jarno <aurel32 at debian.org> Thu, 17 Aug 2006 11:48:07 +0200
-kfreebsd-6 (6.1-0.1) UNRELEASED; urgency=low
+kfreebsd-6 (6.1-0.1) unreleased; urgency=low
[ Petr Salinger ]
* New upstream version (RELENG_6_1_0_RELEASE)
Added: trunk/kfreebsd-6/debian/patches/000_ppp.diff
===================================================================
--- trunk/kfreebsd-6/debian/patches/000_ppp.diff (rev 0)
+++ trunk/kfreebsd-6/debian/patches/000_ppp.diff 2006-08-31 17:56:44 UTC (rev 1653)
@@ -0,0 +1,134 @@
+
+Topic: Buffer overflow in sppp
+CVE Name: CVE-2006-4304
+
+# fetch http://security.FreeBSD.org/patches/SA-06:18/ppp.patch
+
+
+Index: sys/net/if_spppsubr.c
+===================================================================
+RCS file: /home/ncvs/src/sys/net/if_spppsubr.c,v
+retrieving revision 1.124
+diff -u -I__FBSDID -r1.124 if_spppsubr.c
+--- sys/net/if_spppsubr.c 15 Jul 2006 02:49:35 -0000 1.124
++++ sys/net/if_spppsubr.c 21 Aug 2006 11:32:49 -0000
+@@ -2363,7 +2363,8 @@
+
+ /* pass 1: check for things that need to be rejected */
+ p = (void*) (h+1);
+- for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
++ for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
++ len-=p[1], p+=p[1]) {
+ if (debug)
+ log(-1, " %s ", sppp_lcp_opt_name(*p));
+ switch (*p) {
+@@ -2442,7 +2443,8 @@
+
+ p = (void*) (h+1);
+ len = origlen;
+- for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
++ for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
++ len-=p[1], p+=p[1]) {
+ if (debug)
+ log(-1, " %s ", sppp_lcp_opt_name(*p));
+ switch (*p) {
+@@ -2584,7 +2586,8 @@
+ SPP_ARGS(ifp));
+
+ p = (void*) (h+1);
+- for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
++ for (; len >= 2 && p[1] >= 2 && len >= p[1];
++ len -= p[1], p += p[1]) {
+ if (debug)
+ log(-1, " %s ", sppp_lcp_opt_name(*p));
+ switch (*p) {
+@@ -2648,7 +2651,8 @@
+ SPP_ARGS(ifp));
+
+ p = (void*) (h+1);
+- for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
++ for (; len >= 2 && p[1] >= 2 && len >= p[1];
++ len -= p[1], p += p[1]) {
+ if (debug)
+ log(-1, " %s ", sppp_lcp_opt_name(*p));
+ switch (*p) {
+@@ -3039,7 +3043,8 @@
+ log(LOG_DEBUG, SPP_FMT "ipcp parse opts: ",
+ SPP_ARGS(ifp));
+ p = (void*) (h+1);
+- for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
++ for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
++ len-=p[1], p+=p[1]) {
+ if (debug)
+ log(-1, " %s ", sppp_ipcp_opt_name(*p));
+ switch (*p) {
+@@ -3108,7 +3113,8 @@
+ SPP_ARGS(ifp));
+ p = (void*) (h+1);
+ len = origlen;
+- for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
++ for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
++ len-=p[1], p+=p[1]) {
+ if (debug)
+ log(-1, " %s ", sppp_ipcp_opt_name(*p));
+ switch (*p) {
+@@ -3239,7 +3245,8 @@
+ SPP_ARGS(ifp));
+
+ p = (void*) (h+1);
+- for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
++ for (; len >= 2 && p[1] >= 2 && len >= p[1];
++ len -= p[1], p += p[1]) {
+ if (debug)
+ log(-1, " %s ", sppp_ipcp_opt_name(*p));
+ switch (*p) {
+@@ -3285,7 +3292,8 @@
+ SPP_ARGS(ifp));
+
+ p = (void*) (h+1);
+- for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
++ for (; len >= 2 && p[1] >= 2 && len >= p[1];
++ len -= p[1], p += p[1]) {
+ if (debug)
+ log(-1, " %s ", sppp_ipcp_opt_name(*p));
+ switch (*p) {
+@@ -3511,7 +3519,8 @@
+ SPP_ARGS(ifp));
+ p = (void*) (h+1);
+ ifidcount = 0;
+- for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
++ for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
++ len-=p[1], p+=p[1]) {
+ if (debug)
+ log(-1, " %s", sppp_ipv6cp_opt_name(*p));
+ switch (*p) {
+@@ -3561,7 +3570,8 @@
+ p = (void*) (h+1);
+ len = origlen;
+ type = CONF_ACK;
+- for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
++ for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
++ len-=p[1], p+=p[1]) {
+ if (debug)
+ log(-1, " %s", sppp_ipv6cp_opt_name(*p));
+ switch (*p) {
+@@ -3660,7 +3670,8 @@
+ SPP_ARGS(ifp));
+
+ p = (void*) (h+1);
+- for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
++ for (; len >= 2 && p[1] >= 2 && len >= p[1];
++ len -= p[1], p += p[1]) {
+ if (debug)
+ log(-1, " %s", sppp_ipv6cp_opt_name(*p));
+ switch (*p) {
+@@ -3706,7 +3717,8 @@
+ SPP_ARGS(ifp));
+
+ p = (void*) (h+1);
+- for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
++ for (; len >= 2 && p[1] >= 2 && len >= p[1];
++ len -= p[1], p += p[1]) {
+ if (debug)
+ log(-1, " %s", sppp_ipv6cp_opt_name(*p));
+ switch (*p) {
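Review bot: Each rewritten option loop (the `for` in inner hunk `@@ -2363` and the eleven others that share its condition) now stops when an option has `p[1] < 2` or `p[1] > len`, but it stops silently, so a truncated or malformed option list looks the same as one that ended cleanly. The loop bodies and the code after each loop lie outside these hunks, so it is not visible whether leftover bytes are checked there; if they are not, a post-loop check such as `if (len != 0) { /* malformed option list: log and drop */ }` would make the rejection explicit. The three-clause condition is repeated twelve times and would be easier to audit as one helper carrying a comment on why each clause is needed (option header fits, length covers the header, option fits in the remaining bytes). Separately, the log message and changelog cite FreeBSD-SA-06:08.ppp while the patch header fetches from `SA-06:18`; the advisory identifier should be confirmed so the two agree.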